Feat/saas sandbox adaptation (#2234)

* fix(box): trust Box-reported skill paths when filesystem is not shared

In separated deployments (Docker Compose, k8s sidecar, --standalone-box,
remote runtime.endpoint) the Box runtime owns its own filesystem, so the
skill package_root it reports via list_skills is not resolvable on the
LangBot side. LangBot's reload_skills and build_skill_extra_mounts
validated those paths with os.path.isdir() against its own filesystem,
which silently dropped every skill in such deployments — breaking the
sandbox skill feature for the nsjail/SaaS backend.

Add BoxService.shares_filesystem_with_box, derived from the connector
transport (stdio = shared, WebSocket = separated), with an explicit
override seam for tests/embedders. Gate both isdir() guards on it: keep
local validation in shared-fs stdio mode, trust Box-reported paths
otherwise. The Box runtime only reports skills found on its own
filesystem, so those paths are valid there by construction.

Adds topology-derivation tests (real connector, no mocks) and
skill-retention tests for both shared and separated filesystems.

* build(docker): ship a self-contained nsjail sandbox backend in the image

Compile nsjail 3.6 from source in a dedicated multi-stage build and carry
only the binary plus its runtime libs (libprotobuf32, libnl-route-3-200)
into the final image. This lets the Box runtime isolate sandboxed code via
nsjail user/mount/pid/net namespaces without a host Docker socket — the
prerequisite for running Box on LangBot Cloud (k8s), where mounting
docker.sock would grant node root and is not acceptable for multi-tenant.

The build toolchain (build-essential/bison/flex/protobuf-dev/libnl-dev)
stays in the nsjail-build stage and is not present in the shipped image.

Verified: image builds (583MB), nsjail --help exits 0, libraries resolve,
and the real NsjailBackend executes an isolated command end-to-end on a
v6.1/cgroup2 host matching LangBot Cloud prod (rlimit fallback path, since
container /sys/fs/cgroup is read-only; PID-namespace isolation confirmed).

* feat(box): SaaS guard to force a single global sandbox scope

Add system.limitation.force_box_session_id_template: when non-empty it
overrides every pipeline's box-session-id-template at resolve time, pinning
all queries to one shared sandbox (e.g. {global}). This is the authoritative,
unbypassable guard — it runs on every exec call, so editing the pipeline
config via API cannot escape it. The web UI locks the Sandbox Scope selector
via a combined box_scope_editable flag (box available AND not forced).

* build(deps): pin langbot-plugin==0.4.2b1 (nsjail cgroup container-safety beta)

* fix(web): show forced sandbox scope + make disabled tooltip tap-friendly

When a SaaS deployment pins every pipeline to a fixed sandbox scope via
system.limitation.force_box_session_id_template, the Sandbox Scope selector was
correctly locked but still displayed the pipeline's stored value (e.g. the
per-chat default), misrepresenting the scope that the runtime actually enforces
on every exec. Coerce the displayed/saved value to the forced template so the
locked selector truthfully shows the active scope (e.g. Global).

Also fix the disabled_tooltip being invisible on touch devices: hover-only Radix
tooltips never open without a pointer, so the explanation of why the field is
locked could not be read on mobile. Wrap the info icon so a tap toggles the
tooltip while desktop hover still works.

* feat(web): hide sidebar new-version prompt for edition=cloud

Cloud instances are upgraded centrally by the operator, so surfacing a GitHub
'new version available' badge to tenants is misleading and actionable only by
the operator. Skip the release check entirely when edition=cloud.

* style(web): prettier formatting for DisabledTooltipIcon ternary

* chore(deps): bump langbot-plugin to 0.4.2b2

Picks up the SDK fix that creates a read-write host_path before the
nsjail bind-mount, fixing the SaaS MCP shared-workspace sandbox failure
(exec exit 255 with empty output when host_path didn't exist).

* chore(deps): bump langbot-plugin to 0.4.2b3

Picks up the nsjail /dev-node fix so stdio MCP servers (uvx-launched) can
start under force_global_sandbox instead of failing with 'Connection closed
/ please check URL'.

* fix(web): show real MCP runtime status on installed extensions list

The installed-extensions list badge keyed solely off the enable flag, so a
server that was still CONNECTING (or in ERROR) was shown as 'Connected'.
Reflect the actual runtime_info.status (connecting/connected/error/disabled)
with matching colors, and poll quietly every 3s while any MCP server is
connecting so the badge transitions without a manual refresh.

* chore(deps): bump langbot-plugin to 0.4.2b4

Picks up the 30s start_managed_process timeout so cold uvx MCP bootstraps
don't get torn down mid-install.

* style(web): satisfy prettier — parenthesize nullish-coalescing in ternary

* fix(mcp): isolate transient test sessions from the shared Box session

A config-page 'test' (server_name='_', no persisted UUID) ran in the same
shared 'mcp-shared' Box session as live MCP servers. A failing test (e.g.
empty args) churned that shared session and tore down healthy, already-
connected servers — leaving them stuck after exhausting their retries.

Mark UUID-less sessions as transient, give them their own isolated Box
session ('mcp-test-<uuid>'), and fully delete that session on cleanup so
tests can never disturb live servers and don't leak sessions.

* fix(mcp): tear down transient test session after test completes

A successful config-page test left its isolated 'mcp-test-<uuid>' Box
session running (the lifecycle task blocks until shutdown). Wrap the
transient test coroutine so it always shuts the session down afterward,
preventing isolated test sessions from leaking.

web/src/app/home/components/dynamic-form/DynamicFormComponent.tsx

@@ -198,6 +198,35 @@ function WebhookUrlField({
   );
 }
 
+// Hover-only Radix tooltips never open on touch devices (no pointer hover),
+// so the ``disabled_tooltip`` explaining why a field is locked was invisible on
+// mobile. This wrapper makes the info icon also toggle the tooltip on tap while
+// keeping hover behavior on desktop.
+function DisabledTooltipIcon({ text }: { text: string }) {
+  const [open, setOpen] = useState(false);
+  return (
+    <TooltipProvider delayDuration={100}>
+      <Tooltip open={open} onOpenChange={setOpen}>
+        <TooltipTrigger asChild>
+          <button
+            type="button"
+            aria-label={text}
+            className="inline-flex shrink-0"
+            onClick={(e) => {
+              e.preventDefault();
+              e.stopPropagation();
+              setOpen((v) => !v);
+            }}
+          >
+            <Info className="h-3.5 w-3.5 text-muted-foreground cursor-help shrink-0" />
+          </button>
+        </TooltipTrigger>
+        <TooltipContent className="max-w-xs">{text}</TooltipContent>
+      </Tooltip>
+    </TooltipProvider>
+  );
+}
+
 export default function DynamicFormComponent({
   itemConfigList,
   onSubmit,
@@ -551,16 +580,7 @@ export default function DynamicFormComponent({
               : '';
           const renderDisabledTooltipIcon = () =>
             disabledTooltip ? (
-              <TooltipProvider delayDuration={100}>
-                <Tooltip>
-                  <TooltipTrigger asChild>
-                    <Info className="h-3.5 w-3.5 text-muted-foreground cursor-help shrink-0" />
-                  </TooltipTrigger>
-                  <TooltipContent className="max-w-xs">
-                    {disabledTooltip}
-                  </TooltipContent>
-                </Tooltip>
-              </TooltipProvider>
+              <DisabledTooltipIcon text={disabledTooltip} />
             ) : null;
 
           // Webhook URL fields are display-only; render outside of form binding

web/src/app/home/components/home-sidebar/HomeSidebar.tsx

@@ -1674,24 +1674,31 @@ export default function HomeSidebar({
         .catch(() => {});
     }
 
-    getCloudServiceClientSync()
-      .getLangBotReleases()
-      .then((releases) => {
-        if (releases && releases.length > 0) {
-          const latestStable = releases.find((r) => !r.prerelease && !r.draft);
-          const latest = latestStable || releases[0];
-          setLatestRelease(latest);
+    // Cloud edition is updated centrally by the operator, so end users should
+    // not see a "new version available" prompt in the sidebar. Skip the GitHub
+    // release check entirely for edition=cloud.
+    if (systemInfo?.edition !== 'cloud') {
+      getCloudServiceClientSync()
+        .getLangBotReleases()
+        .then((releases) => {
+          if (releases && releases.length > 0) {
+            const latestStable = releases.find(
+              (r) => !r.prerelease && !r.draft,
+            );
+            const latest = latestStable || releases[0];
+            setLatestRelease(latest);
 
-          const currentVersion = systemInfo?.version;
-          if (currentVersion && latest.tag_name) {
-            const isNewer = compareVersions(latest.tag_name, currentVersion);
-            setHasNewVersion(isNewer);
+            const currentVersion = systemInfo?.version;
+            if (currentVersion && latest.tag_name) {
+              const isNewer = compareVersions(latest.tag_name, currentVersion);
+              setHasNewVersion(isNewer);
+            }
           }
-        }
-      })
-      .catch((error) => {
-        console.error('Failed to fetch releases:', error);
-      });
+        })
+        .catch((error) => {
+          console.error('Failed to fetch releases:', error);
+        });
+    }
 
     getCloudServiceClientSync()
       .getGitHubRepoInfo()

web/src/app/home/pipelines/components/pipeline-form/PipelineFormComponent.tsx

@@ -8,6 +8,7 @@ import {
 import DynamicFormComponent from '@/app/home/components/dynamic-form/DynamicFormComponent';
 import N8nAuthFormComponent from '@/app/home/components/dynamic-form/N8nAuthFormComponent';
 import { useBoxStatus } from '@/app/infra/hooks/useBoxStatus';
+import { systemInfo } from '@/app/infra/http';
 import { Button } from '@/components/ui/button';
 import { useForm } from 'react-hook-form';
 import { zodResolver } from '@hookform/resolvers/zod';
@@ -420,11 +421,41 @@ export default function PipelineFormComponent({
     // opt-in via ``disable_if`` + ``disabled_tooltip`` rather than every page
     // hard-coding a banner. Field-level gating keeps unrelated fields
     // untouched.
+    //
+    // ``box_scope_editable`` folds the two reasons the Sandbox Scope selector
+    // can be locked into a single flag the yaml ``disable_if`` consumes:
+    //   1. Box sandbox is unavailable, or
+    //   2. the deployment pins all pipelines to a fixed scope via
+    //      ``system.limitation.force_box_session_id_template`` (SaaS).
+    const forcedBoxTemplate =
+      systemInfo.limitation?.force_box_session_id_template || '';
+    const boxScopeForced = !!forcedBoxTemplate;
     const stageSystemContext =
       stage.name === 'local-agent'
-        ? { box_available: boxAvailable }
+        ? {
+            box_available: boxAvailable,
+            box_scope_editable: boxAvailable && !boxScopeForced,
+          }
         : undefined;
 
+    // When the deployment pins every pipeline to a fixed sandbox scope (SaaS
+    // ``force_box_session_id_template``), the Sandbox Scope selector is locked.
+    // The runtime already overrides the scope on every exec, but the stored
+    // pipeline value can be anything (e.g. the per-chat default), which would
+    // make the locked selector display a scope that is NOT the one actually in
+    // effect. Coerce the displayed/saved value to the forced template so the UI
+    // truthfully reflects runtime behavior.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const stageInitialValues: Record<string, any> =
+      (form.watch(formName) as Record<string, any>)?.[stage.name] || {};
+    const effectiveInitialValues =
+      stage.name === 'local-agent' && boxScopeForced
+        ? {
+            ...stageInitialValues,
+            'box-session-id-template': forcedBoxTemplate,
+          }
+        : stageInitialValues;
+
     return (
       <Card key={stage.name}>
         <CardHeader>
@@ -438,10 +469,7 @@ export default function PipelineFormComponent({
         <CardContent className="space-y-6">
           <DynamicFormComponent
             itemConfigList={stage.config}
-            initialValues={
-              // eslint-disable-next-line @typescript-eslint/no-explicit-any
-              (form.watch(formName) as Record<string, any>)?.[stage.name] || {}
-            }
+            initialValues={effectiveInitialValues}
             onSubmit={(values) => {
               handleDynamicFormEmit(formName, stage.name, values);
             }}

web/src/app/home/plugins/components/plugin-installed/ExtensionCardComponent.tsx

@@ -160,16 +160,34 @@ export default function ExtensionCardComponent({
             {cardVO.mode.toUpperCase()}
           </Badge>
         )}
-        <Badge
-          variant="outline"
-          className={`text-[0.7rem] flex-shrink-0 ${
-            cardVO.enabled
-              ? 'border-green-400 text-green-600 dark:text-green-400'
-              : 'border-gray-400 text-gray-600 dark:text-gray-300'
-          }`}
-        >
-          {cardVO.enabled ? t('mcp.statusConnected') : t('mcp.statusDisabled')}
-        </Badge>
+        {(() => {
+          // Reflect the real runtime status, not just the enabled flag.
+          // A server can be enabled but still CONNECTING or in ERROR — showing
+          // "Connected" in those cases is misleading.
+          const runtime = cardVO.enabled
+            ? (cardVO.runtimeStatus ?? 'connecting')
+            : 'disabled';
+          const badgeClass: Record<string, string> = {
+            connected: 'border-green-400 text-green-600 dark:text-green-400',
+            connecting: 'border-amber-400 text-amber-600 dark:text-amber-400',
+            error: 'border-red-400 text-red-600 dark:text-red-400',
+            disabled: 'border-gray-400 text-gray-600 dark:text-gray-300',
+          };
+          const badgeLabel: Record<string, string> = {
+            connected: t('mcp.statusConnected'),
+            connecting: t('mcp.connecting'),
+            error: t('mcp.statusError'),
+            disabled: t('mcp.statusDisabled'),
+          };
+          return (
+            <Badge
+              variant="outline"
+              className={`text-[0.7rem] flex-shrink-0 ${badgeClass[runtime] ?? badgeClass.disabled}`}
+            >
+              {badgeLabel[runtime] ?? badgeLabel.disabled}
+            </Badge>
+          );
+        })()}
       </div>
       <div className="text-[0.8rem] text-muted-foreground line-clamp-2 w-full">
         {cardVO.description ||

web/src/app/home/plugins/components/plugin-installed/PluginInstalledComponent.tsx

@@ -103,8 +103,8 @@ const PluginInstalledComponent = forwardRef<
     getExtensionList();
   }
 
-  async function getExtensionList() {
-    setLoading(true);
+  async function getExtensionList(silent = false) {
+    if (!silent) setLoading(true);
     try {
       const client = getCloudServiceClientSync();
 
@@ -200,12 +200,25 @@ const PluginInstalledComponent = forwardRef<
       setExtensionList(extensions);
     } catch (error) {
       console.error('Failed to fetch extension list:', error);
-      setExtensionList([]);
+      if (!silent) setExtensionList([]);
     } finally {
-      setLoading(false);
+      if (!silent) setLoading(false);
     }
   }
 
+  // While any MCP server is still connecting, poll quietly so the status badge
+  // transitions (connecting -> connected/error) without a manual refresh.
+  useEffect(() => {
+    const hasConnecting = extensionList.some(
+      (e) => e.type === 'mcp' && e.enabled && e.runtimeStatus === 'connecting',
+    );
+    if (!hasConnecting) return;
+    const timer = setInterval(() => {
+      getExtensionList(true);
+    }, 3000);
+    return () => clearInterval(timer);
+  }, [extensionList]);
+
   useImperativeHandle(ref, () => ({
     refreshPluginList: getExtensionList,
   }));

web/src/app/infra/entities/api/index.ts

@@ -325,6 +325,10 @@ export interface SystemLimitation {
   max_bots: number;
   max_pipelines: number;
   max_extensions: number;
+  /** When non-empty, every pipeline is forced to this Box sandbox-scope
+   *  template (e.g. ``{global}``) and the per-pipeline "Sandbox Scope"
+   *  selector is locked. Used by SaaS deployments. Empty = no restriction. */
+  force_box_session_id_template?: string;
 }
 
 export interface WizardProgress {